Skip to Content
Author's profile photo Shilpa Vij

Enabling Principal Propagation from client application(HTML5) to backend via SAP Cloud Platform API Management using OAuth

“Principal Propagation”, it is commonly understood as the ability of a system to securely forward

or propagate the authenticated user (principal) from a sender to a receiver in a way that the forwarded user information is kept confidential and – even more important – cannot be changed during transit.

One of the ways for Enabling Principal Propagation is through OAuth.

In this blog, we will see how to enable OAuth configuration, create a destination, assign the destination to the client application and propagate the authenticated user (principal) from a client application(HTML5) to a backend system through SAP Cloud Platform API Management.

Let’s get started!

Creating an OAuth Client

OAuth client is needed to get an access token for the OAuth-protected resources in the application.

In the cloud cockpit, navigate to the subaccount, select OAuth, click on clients and then select “Register a new client”.

Fill in the following details, click on confidential, give the client secret and Save it.

Note: In this scenario, my HTML5 application and Apiportal application are on the same sub-account so trust configuration between accounts is not needed

Configuration on SAP Cloud Connector for On-Premise connectivity

For this scenario, I will be using AP2 SAP Gateway system as a backend

Downloading and configuring cloud connector refer


Type https://localhost:**** on your browser following screen should come up

Enter Username and password to log in as Admin

Click on Add Account to add an account

Fill in the appropriate details as shown below for your account

Under Account Dashboard; Account should be added

As I have added my hanatrial account as host so my hanatrial account should be added as shown below

Now we will be adding the On-Prem system for eg ER9 (S/4 HANA system)

Click on Cloud To On-Premise

Add Backend System as SAP Gateway and Click Next

Select Protocol as HTTPS and click Next

Add host and port of Backend System and click Next

In Virtual Host and port don’t put the same name and port as above

Select Principle Type as X509 Certificate and Click Next

Check the summary, select internal host checkbox and select Finish

The system should get added

Click on Add button under Resources Accessible to add URL path as”/” this is to consider all the resources after “/”

With this, we have configured our backend system in Cloud Connector

Configuration on the SAP Backend (SAP Gateway) Side

Note: – This configuration can be skipped if SAML has been already activated in the SAP Gateway.

Please refer blog under section “Configuration on the SAP Backend (SAP Gateway) Sidefor configuring SAP backend.

Create an API Provider to SAP Gateway System

Login to your SAP Cloud Platform account (say

Navigate to the Services tab, search for API Management service tile and click to open API Management service.

Click on the link Access API Portal to open API Portal.

Navigate to API Provider and click on Create

Give a name lets say “AP2” in this case as we are connecting AP2 backend

Navigate to CONNECTIONS tab and fill the details

Create an API Proxy to connect to SAP Gateway

Navigate to develop and click on create

Fill in the following details and Save and click on Create

Save and Deploy

Copy API Proxy URL and save it in a notepad as it will be used in the destination

Creating Destination on the subaccount

Navigate to the cockpit and from left hand-side select Destinations and click on New Destination

Fill in all the fields

Save the created destination.

Testing the Flow from HTML5 Application

In this blog, the pre-requisite is that HTML5 application is already created and deployed on the same subaccount where we have the API portal subscription and therefore I will not be showing you how to create an HTML5 application.

From the left-hand-side navigate to HTML5 Application and make sure your application is in the started state.

Click on the application and Under required destinations fill in the following details and select the destination created above.

Now copy the application URL.

Append the URL with  URL/APIMgmtEndPoint/< API Proxy name>

Hit the above URL in the browser and without giving user and password, user principal will be propagated to the backend via API Management and you should get the response

Further Reads


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Murali Shanmugham
      Murali Shanmugham

      Great work Shilpa. Thanks for sharing. This opens up more possibilities and would enable us to build UIs which leverage APIs exposed via APIM.

      Author's profile photo Shilpa Vij
      Shilpa Vij
      Blog Post Author

      Thanks Murali!


      Author's profile photo Karim Benakli
      Karim Benakli

      Great information, thanks a lot Shilpa. By the way, do you know if there are plans for SAP Gateway to support also Token Introspection,

      Author's profile photo Tino Friedemann
      Tino Friedemann

      Great Tutorial:


      Two questions for this approach:

      • What should be in the redirect URL, this is greyed out, but this is critical to understand the approach
      • Does the approach also works for cloud endpoints running in the same subaccount on a HTML5 runtime or the J2EE Server?

      Thank you!


      Author's profile photo Shilpa Vij
      Shilpa Vij
      Blog Post Author

      Hello Tino,

      Thank for your kind words!

      Answer to your questions

      1. Redirect URL is :- ApplicationURL/APIMgmtEndPoint/<YourAPIProxy name>
      2. Yes, this approach will also work for any application on cloud.